Ah, cool.  Thanks.  I've been thinking about doing the same thing for our local realms as well, but I would absolutely have to have some kind of log message for rejections or I won't be able to make it fly.

 

--J

 

From: freeradius-users-bounces+mcnuttj=missouri.edu@lists.freeradius.org [mailto:freeradius-users-bounces+mcnuttj=missouri.edu@lists.freeradius.org] On Behalf Of inverse
Sent: Thursday, February 13, 2014 8:32 AM
To: FreeRadius users mailing list
Subject: Re: PEAP auth rejected due to different inner and outer user-id

 

No, as for this server I don't keep failure auth/reply logs. However I forgot to mention this is currently affecting only our local realms for enrolled students and personnel. The "default" realm is authenticated on another server with no such restriction.

 

 

Inverse

 

On Thu, Feb 13, 2014 at 1:56 PM, McNutt, Justin M. <McNuttJ@missouri.edu> wrote:

When this occurs, do you get something in your log that tells you that this is the reason for the auth failure?

 

Also, isn't inner anonymity one of the permitted benefits of the federated EAP structure used by eduroam? That is, guests are permitted to hide their real user IDs while not at "home"?

Sent from my mobile device.


On Feb 11, 2014, at 8:52, "inverse" <inverse@ngi.it> wrote:

The "eap_custom" module seems responsible for this behaviour so you should look into its config, curiously enough I've found no traces of it in my freeradius 2.2.3


Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] Request found, released from the list
Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] Identity does not match User-Name.  Authentication failed.
Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] Failed in handler

 

However I consider this a feature, not a bug. In fact as a local policy for eduroam I've placed this in the inner-tunnel 's post-auth section:

if ( "%{outer.request:User-Name}" != "%{User-Name}" ){
                          reject
                        }       

which does exactly that. If you see something along these lines, you've found the source of your problems


Best regards,

Inverse

 

 

 

On Tue, Feb 11, 2014 at 2:45 PM, douglas eseng <douglas.eseng@gmail.com> wrote:

Encountered the following issue.

 

Running FR 2.2.3. PEAP tunneled authentication was successful. But get rejected due to username mismatch. No issue when both username are the same.

 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




--
"In a sea of glass shards, I hear you screaming"
--icchan